Beefy Boxes and Bandwidth Generously Provided by pair Networks Cowboy Neal with Hat
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Encrypt files on server and then decrypt when user downloads

by MPM (Novice)
on Oct 19, 2012 at 18:51 UTC ( #1000019=perlquestion: print w/ replies, xml ) Need Help??
MPM has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I'm working on an web application that basically allows a user to download files stored locally on the server. There is more security than that but that is the general idea. There are multiple users that access the system and can potentially be accessing the same files right around the same time. Below is a highly simplified sample of the code

use CGI; my $q = CGI->new; my $file = '/home/somelocation/somefile.pdf'; open(MYFILE,$file) or return(0); print $q->header(-type => 'application/pdf', ); binmode (MYFILE); binmode(STDOUT); {local $/; print <MYFILE>} close MYFILE;

What I am trying to do is add decryption to the process. I'm thinking I'd write a script to encrypt all the files. Then I'd like to modify the code above so that as a user tries to download the file, it is decrypted and the user can save the file. How can I do this. Again, multiple people may be accessing the same file and the files may be very large. Any help would be greatly appreciated. TIA

MPM

Comment on Encrypt files on server and then decrypt when user downloads
Download Code
Re: Encrypt files on server and then decrypt when user downloads
by moritz (Cardinal) on Oct 19, 2012 at 19:03 UTC

    Simply configure your web server to use SSL. Then the files (and indeed the whole HTTP response) are encrypted on the server, and decrypted automatically on the client side.

    Even better, you don't have to deal with encryption in your own code (which is always a hairy subject to get right), and your users don't have to mess with manually decrypting files. Big win for everybody, I'd say.

          Simply configure your web server to use SSL.

      I wasn't going to suggest that, however you are very correct. Reason I wasn't going to suggest that is depending on his web environment it may not be an option. For instance hosting companies usually (well... that is less true these days) charge a premium for SSL enabled hosting. In a corporate environment SSL usually incurs a cost that some management won't approve.


      Peter L. Berghold -- Unix Professional
      Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
        For instance hosting companies usually (well... that is less true these days) charge a premium for SSL enabled hosting. In a corporate environment SSL usually incurs a cost that some management won't approve.

        That might be true, but I don't think one can expect to come up with a self-made solution that comes near to SSL in terms of security, and that doesn't cost much more in total, if you include cost for development and maintenance of the custom solution.

      SSL is being used. However, I'm looking to protect against the situation where someone gets on the server. I don't want them to be able to view the files directly on the machine or be able to copy them to another machine and then view them. So I'm more looking to protect the files, not protect the data on the files while they are downloading them. Thanks for the response though.

        oh, and just to add, I thought maybe gpg but I'm not sure how that would be done and I'm not sure if that would be the best solution

        I'm looking to protect against the situation where someone gets on the server. I don't want them to be able to view the files directly on the machine or be able to copy them to another machine and then view them.

        If you are going to decrypt them during download, and the bad guys have access to the server, they would only need to inspect your download script to see how to decrypt the files.

        If they can copy the encrypted file, they can also copy the decryption script and perform the decryption on their own machine at their leisure.

        The only way to protect the files on a compromised server would be for the users to download them encrypted and decrypt them locally using local software and keys known only to themselves. For example, if you encrypted the files for each user using their public key, and they decrypt them locally using their private key.

        The downside of that is that you would have to encrypt files that may be downloaded by multiple users, multiple times, and keep multiple, unique copies of them.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

        RIP Neil Armstrong

Re: Encrypt files on server and then decrypt when user downloads
by sundialsvc4 (Monsignor) on Oct 19, 2012 at 20:40 UTC

    I would echo the prevailing sentiment here, that ultimately you must trust something.   You can certainly store encrypted files on the server.   (There are probably more advantages to that, than “encrypting on the fly.”)   Perhaps a public-key encryption scheme could be used for processing the content at the user end.

Re: Encrypt files on server and then decrypt when user downloads
by zentara (Archbishop) on Oct 20, 2012 at 09:35 UTC
    If you want any sort of real encryption security, use GPG. But, if you are willing to use a laxer bit of security, you might try experimenting with html keys auth. See client ssl certs.

    Also, I do believe there are some javascript routines around that might be able to do some basic encryption like Base64, that might help you at least keep plain readable text out of the network traffic, if you decrypt on the server.

    And this isn't Perl, but if you look at Processing.js you can write some easy code to embed your own java decrypter application that would be able to decrypt what comes in and display it in it's own canvas window id of the DOM. But to explain that is too complicated to do in a forum like this. If you can figure it out, good, but otherwise don't ask me how. :-)


    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku ................... flash japh

      Thank you everyone for the input, but regardless of whether it makes complete sense to do, it's something a client wants done. Ideally, the file would be be decrypted on the user's end, but that is not a possibility ( potentially thousands of not so technical users). So GPG IS what I think I should use. I'm am looking for some guidance on how to actually accomplish it with Perl.

        If by decrypt when the user downloads means that the server just spits out a decrypted GPG pipe, and sends plain text over the network to the client, that is fairly easy, but I would'nt call it secure. Anyone can see all your files by sniffing the network.

        So you are stuck sending information thru GPG encrypted mail, because I don't think GPG has a browser plugin to decode web content. Another limited option would be making GPG encrypted files available for HTML download.

        You are asking for free easy help for a big time program. Google for Perl GPG HTML and Linux GPG webmail , and you should get some pretty good guidance by going thru the links. Personally, I really like the new javascript methods around now, as I mentioned in reference to Processing.js. That way, if you could write a .pde script for Processing, you could setup a fairly secure channel to the client. And run it in the DOM , as a javascript application with a canvas id . My rational is that I don't think you can encode web content with GPG, you can only send encrypted mails. So you will need a custom Processing script to do the decoding on the client end. Maybe not GPG, but you could make up your own decoder, within the limits of what javascript will allow. You could decode on the server, and feed the data stream to a custom canvas running under Processing.js, which could run a simpler faster algorithm like RC4, Blowfish, or Rijandael. You could just implement the old "Caesar's Cipher" for encryption... ;-)

        But it isn't Perl, so all I will do, is leave it at that. From what I understand, someone is working on something similar for Perl, call Perlito, but I doubt it will ever eclipse the geniuses at M.I.T who produced Processing and Processing.js.


        I'm not really a human, but I play one on earth.
        Old Perl Programmer Haiku ................... flash japh

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1000019]
Approved by moritz
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (14)
As of 2014-04-21 16:10 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    April first is:







    Results (496 votes), past polls